
# Register core Cognite apps

> Register the Cognite API and applications in Amazon Cognito for organizational sign-in.

To allow users to sign in to Cognite Data Fusion (CDF) and Cognite apps with their existing organizational ID, you first need to register the Cognite API and permit it to access user profiles in your Amazon Cognito tenant. You then register the Cognite applications you want to allow users to access.

Follow the steps below to complete the registration.

<a id="step-1" />

## Step 1: Register the Cognite API and authentication and authorization servers

<Steps>
  <Step title="Sign in to Amazon Cognito">
    Sign in to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home) as an admin. If prompted, enter your AWS credentials.
  </Step>

  <Step title="Select a user pool">
    Select an existing user pool from the list, or create a user pool.
  </Step>

  <Step title="Register the Cognite API:">
    1. Under **Branding**, select **Domain**.

    2. Under **Resource servers**, select **Create resource server**.

    3. In **Resource server name**, enter *Cognite API*.

    4. In **Resource server identifier**, enter *[https://cognitedata.com](https://cognitedata.com)*.

    5. Under **Custom scopes**, add two scopes:

       * Scope name: `IDENTITY` and description: `identity`
       * Scope name: `user_impersonation` and description: `User impersonation`.

       [**Learn more**](/cdf/access/concepts/access_token_scopes) about the scopes.

    6. Select **Create resource server**.
  </Step>

  <Step title="Register the resource server">
    Register the resource server for Cognito **service account authentication**:

    1. Under **Branding**, select **Domain**.

    2. Under **Resource servers**, select **Create resource server**.

    3. In **Resource server name**, enter *Service account*.

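    4. In **Resource server identifier**, enter *https\:/*. Note: the identifier is *https\:/* with a single slash, not *https\://*. Cognito names a custom scope as the resource server identifier, a slash, and the scope name, so the audience scope below becomes *https\://\{\{cluster}}.cognitedata.com*.

    5. Under **Custom scopes**, add two scopes: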

       * Scope name: *IDENTITY* and description: *identity*
       * Scope name: *\{\{cluster}}.cognitedata.com* and description: *audience*.

       [**Learn more**](/cdf/access/concepts/access_token_scopes) about the scopes.

    6. Select **Create resource server**.
  </Step>

  <Step title="Register a Cognite authorization server">
    1. Under **Applications**, select **App clients** > <span class="ui-element">Create app client</span>.

    2. Under **Application type**, select **Machine-to-machine application**.

    3. Name your application *Cognite authorization server* and select **Create app client**. The client secret is created automatically.

    4. In **App client information**, select **Edit**.

       * Under **Authentication flows**, select **ALLOW\_USER\_AUTH**, **ALLOW\_USER\_SRP\_AUTH**, and **ALLOW\_REFRESH\_TOKEN\_AUTH**, and then select **Save changes**.

    5. Under the **Login pages** tab, select **Edit**.

       * In **Identity providers**, select **Cognito user pool**.
       * In **OAuth 2.0 grant types**, select **Client credentials**.
       * In **Custom scope**, select *\{\{cluster}}.cognitedata.com*.
       * At the bottom of the page, select **Save changes**.
  </Step>
</Steps>

<a id="step-2" />

## Step 2: Register the Cognite Data Fusion application

<Steps>
  <Step title="Sign in to Amazon Cognito">
    Sign in to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home) as an admin. If prompted, enter your AWS credentials.
  </Step>

  <Step title="Select a user pool">
    Select an existing user pool from the list, or create a user pool.
  </Step>

  <Step title="Select Create app client">
    Under **Applications**, select **App clients**, and then select <span class="ui-element">Create app client</span>.
  </Step>

  <Step title="Under Application type, select Traditional web application" />

  <Step title="Name the application">
    Name your application *Cognite Data Fusion*.
  </Step>

  <Step title="Create a client secret">
    In **Return URL**, enter *[https://auth.cognite.com/oauth2/external/callback](https://auth.cognite.com/oauth2/external/callback)*, and select **Create app client**. The client secret is created automatically.
  </Step>

  <Step title="In App client information, select Edit">
    * Under **Authentication flows**, select **ALLOW\_USER\_AUTH**, **ALLOW\_USER\_SRP\_AUTH**, and **ALLOW\_REFRESH\_TOKEN\_AUTH**, and then select **Save changes**.
  </Step>

  <Step title="Under the Login pages tab, select Edit">
    * In **Identity providers**, select **Cognito user pool**.
    * In **OAuth 2.0 grant types**, select **Authorization code grant**.
    * In **OpenID Connect scopes**, select **Email**, **OpenID**, and **Profile**.
    * In **Custom scopes**, select **[https://cognitedata.com/user\_impersonation](https://cognitedata.com/user_impersonation)**.
    * At the bottom of the page, select **Save changes**.
  </Step>

  <Step title="Activate the Cognite Data Fusion sign-in page">
    * Under **Branding**, select **Managed login** > **Create a style**.
    * Select the **Cognite Data Fusion** app client, and then select **Create**.
  </Step>
</Steps>
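
To check that both app clients still match the settings from Step 1 and Step 2, the following audit is an added example (not Cognite or AWS code). It assumes the `UserPoolClient` field names returned by `aws cognito-idp describe-user-pool-client`; `example-cluster` is a placeholder for `{{cluster}}` and the sample client is constructed.

```python
# Added example: audit Cognito app clients against the settings on this page.
# Each input dict mirrors the "UserPoolClient" object returned by
# `aws cognito-idp describe-user-pool-client`; the sample below is constructed.
CLUSTER = "example-cluster"  # assumed placeholder for {{cluster}}

def full_scope(identifier, name):
    """Cognito names a custom scope <resource server identifier>/<scope name>."""
    return f"{identifier}/{name}"

# Settings both app clients share, then the per-client settings from each step.
COMMON = {"SupportedIdentityProviders": {"COGNITO"}, "ExplicitAuthFlows": {
    "ALLOW_USER_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"}}
EXPECTED = {
    "Cognite authorization server": {
        "AllowedOAuthFlows": {"client_credentials"},
        "AllowedOAuthScopes": {full_scope("https:/", f"{CLUSTER}.cognitedata.com")},
    },
    "Cognite Data Fusion": {
        "AllowedOAuthFlows": {"code"},
        "AllowedOAuthScopes": {"email", "openid", "profile", full_scope(
            "https://cognitedata.com", "user_impersonation")},
        "CallbackURLs": {"https://auth.cognite.com/oauth2/external/callback"},
    },
}

def audit(client):
    """Return sorted findings; an empty list means the client matches the page."""
    want = EXPECTED.get(client.get("ClientName"))
    if want is None:
        return [f"unknown app client: {client.get('ClientName')!r}"]
    findings = []
    for field, expected in {**COMMON, **want}.items():
        actual = set(client.get(field, []))
        findings += [f"{field}: unexpected {v}" for v in actual - expected]
        findings += [f"{field}: missing {v}" for v in expected - actual]
    return sorted(findings)

# Constructed sample: a Data Fusion client that drifted from the documented setup.
DRIFTED = {
    "ClientName": "Cognite Data Fusion",
    "ExplicitAuthFlows": ["ALLOW_USER_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "SupportedIdentityProviders": ["COGNITO"],
    "AllowedOAuthFlows": ["code", "implicit"],
    "AllowedOAuthScopes": ["email", "openid", "profile"],
    "CallbackURLs": ["https://auth.cognite.com/oauth2/external/callback", "http://localhost:3000/cb"],
}

if __name__ == "__main__":
    print("\n".join(audit(DRIFTED)))
```

Pass it the `UserPoolClient` object from `aws cognito-idp describe-user-pool-client --user-pool-id <pool-id> --client-id <client-id>` for each of the two clients; any finding is a setting that differs from this page.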
